Hello all!
I'm fairly new to Arch Linux. I've been using it as my main desktop OS for about 3 weeks now. Now, I've always been pretty paranoid when it comes to security, and especially rootkits and malware, so I'm just looking for a few answers regarding rkhunter's output. I'm pretty sure that I don't have anything malicious on the machine, since it's only a few weeks old, I always practise browsing with NoScript, a firewall is active and there are no open ports on the computer. This is not to mention that I am running no services such as VNC or SSH anyway. A run of rkhunter -c --rwo prints the following:
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
Warning: The file '/usr/bin/lsof' does not exist on the system, but it is present in the rkhunter.dat file.
Warning: Checking for possible rootkit strings [ Warning ]
No system startup files found.
Warning: Promiscuous network interface check skipped - unable to find the 'ifconfig' command.
Warning: No system startup files found.
Warning: The syslog daemon is not running.
Warning: Suspicious file types found in /dev:
/dev/shm/pulse-shm-842957700: data
/dev/shm/pulse-shm-2584298159: data
/dev/shm/pulse-shm-2011933752: data
/dev/shm/pulse-shm-1939953899: data
/dev/shm/pulse-shm-737502606: data
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
All of these warnings, excluding the rootkit strings and /usr/bin/lsof, have been there since the first day of installation. Because of this, I am 99.9% sure that at least most of these are false positives. I'm fairly sure that /usr/bin/ldd is a known false positive, as am I sure that the hidden compressed man pages are also false positives. The suspicious data files look like they might belong to PulseAudio, and the syslog daemon warning, if I'm not mistaken, is because Arch uses journald as a replacement by default.
I'm looking for some insight as to why some of these occur. In particular, the rootkit strings (a warning that appears to be thrown by rkhunter being unable to find system startup files) and the startup files warning. The /usr/bin/lsof warning is probably due to an update that I just ran, too. Here are a few questions I have to ask!
Does Arch use different startup files or startup in a different way compared to other distributions?
Is rkhunter only throwing warnings when looking for rootkit strings because the files it is searching (system startup files) are not where they are expected to be?
Has anybody else had experience with similar warnings?
Thanks in advance, I appreciate it!
obfusc8
Last edited by obfusc8 (2013-10-27 12:07:58)
:wq
Here’s what rkhunter is telling me:
Warning: Checking for prerequisites [ Warning ]
The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter '--check' option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/vendor_perl/GET' has been replaced by a script: /usr/bin/vendor_perl/GET: Perl script, ASCII text executable
Warning: Suckit Rookit additional checks [ Warning ]
Error from '/usr/bin/stat' command when checking '/sbin/init'
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol version 1.
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
WRT to your question 1: looks like rkhunter is not systemd-aware.
Ah, that makes sense...
Why aren't you getting the same warning as me? Presumably, you're using a different system/service manager than systemd, hence why you aren't receiving the warnings. Either this, or you've edited your rkhunter.conf and made it aware of systemd's startup files, or perhaps even suppressed the warning.
:wq
I am (unfortunately) using systemd, and haven’t edited rkhunter’s conf.
Let’s take the different warnings one by one…
- lsof: I have the lsof package installed.
- ifconfig: I have the net-tools package installed.
- No system startup files found: maybe it is because I have a /etc/rc.d/ directory?
I have it because of esound and i2p. esound, I see, is not in the official repos and isn’t required by anything I have installed. Maybe I installed it for a Humble Indie Bundle game… i2p also comes from the AUR and I haven’t used or updated it in a while…
- syslog: I have syslog-ng installed and running.
- /dev/shm/pulse-shm-*: I’m not using pulseaudio. I wouldn’t worry about these as /dev/shm is a ram-disk and it was made to contain various files…
Now for my warnings…
- perl: I don’t know, probably harmless like the ldd warning…
- Error from '/usr/bin/stat' command when checking '/sbin/init'
Looks like you have systemd-sysvcompat installed and not me. (That might explain why I had problems updating syslinux recently, looks like the syslinux documentation and default config file assume everyone has systemd-sysvcompat installed…)
- ssh: whatever, I don’t have an ssh server running anyway.
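As an added example (not code from this thread or from rkhunter), here is a small Python triage script for the warnings quoted above: it parses the rkhunter --rwo lines, asks pacman which package owns each flagged path, and emits rkhunter.conf whitelist directives (SCRIPTWHITELIST, ALLOWHIDDENFILE, ALLOWDEVFILE) only for files an installed package accounts for. The embedded sample is constructed from the first post, and the pacman lookup is skipped when pacman is not present.

```python
import re
import shutil
import subprocess

# Constructed sample input: warning lines taken from the first post above.
SAMPLE_OUTPUT = """\
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
Warning: The file '/usr/bin/lsof' does not exist on the system, but it is present in the rkhunter.dat file.
Warning: Suspicious file types found in /dev:
         /dev/shm/pulse-shm-842957700: data
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
"""
# (regex capturing the path, rkhunter.conf directive for that path); None = a human decides.
PATTERNS = [
    (re.compile(r"The command '([^']+)' has been replaced by a script"), "SCRIPTWHITELIST"),
    (re.compile(r"The file '([^']+)' does not exist on the system"), None),
    (re.compile(r"Hidden file found: (\S+?):"), "ALLOWHIDDENFILE"),
    (re.compile(r"^\s*(/dev/\S+?):"), "ALLOWDEVFILE"),
]

def parse_warnings(text):
    """Return (path, directive) for every warning line that names a file."""
    found = []
    for line in text.splitlines():
        for regex, directive in PATTERNS:
            m = regex.search(line)
            if m:
                found.append((m.group(1), directive))
                break
    return found

def package_owner(path):
    """Package owning path according to 'pacman -Qqo'; None if unowned or pacman is absent."""
    if shutil.which("pacman") is None:
        return None
    r = subprocess.run(["pacman", "-Qqo", path], capture_output=True, text=True)
    return r.stdout.strip() or None

def whitelist_lines(text, owner=package_owner):
    """Whitelist only package-owned files; flag everything else for a human to check."""
    out = []
    for path, directive in parse_warnings(text):
        if directive is None:
            out.append(f"# REVIEW {path}: in rkhunter.dat but missing; after confirming "
                       "a package update removed it, rerun rkhunter --propupd")
        elif owner(path) is None:
            out.append(f"# REVIEW {path}: not owned by any installed package")
        else:
            out.append(f"{directive}={path}")
    return out
```

Paths with no owning package (the /dev/shm entries here) are never whitelisted automatically; they stay as REVIEW comments for a person to judge.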
Aha, I don't have an /etc/rc.d directory -- that's probably the reason as to why. I was aware of most of them being false positives, but thank you so much for clearing stuff up for me. I seriously appreciate it.
:wq
- ssh: whatever, I don’t have an ssh server running anyway.
And the default only allows protocol 1 if you explicitly enable it...
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L